Reword changelog entry for follow relationship bug

author rinpatch <rinpatch@sdf.org>

Thu, 30 Apr 2020 21:28:28 +0000 (00:28 +0300)

committer rinpatch <rinpatch@sdf.org>

Sat, 2 May 2020 16:05:13 +0000 (19:05 +0300)
author rinpatch <rinpatch@sdf.org>
Thu, 30 Apr 2020 21:28:28 +0000 (00:28 +0300)
committer rinpatch <rinpatch@sdf.org>
Sat, 2 May 2020 16:05:13 +0000 (19:05 +0300)
diff --git a/CHANGELOG.md b/CHANGELOG.md

index 54a0561b3695a714bd3f91fa44d6ad36a1508cc1..9279c1af0765745d94e935da99cd7cb664c74c60 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,11 +37,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  - Filtering of push notifications on activities from blocked domains
  
  ## [unreleased-patch]
+### Security
+- Mastodon API: Fix `POST /api/v1/follow_requests/:id/authorize` allowing to force a follow from a local user even if they didn't request to follow
+
  ### Fixed
  - Logger configuration through AdminFE
  - HTTP Basic Authentication permissions issue
  - ObjectAgePolicy didn't filter out old messages
-- Mastodon API: do not create a following relationship if the corresponding follow request doesn't exist when calling `POST /api/v1/follow_requests/:id/authorize`
  
  ### Added
  - NodeInfo: ObjectAgePolicy settings to the `federation` list.
author	rinpatch <rinpatch@sdf.org>
	Thu, 30 Apr 2020 21:28:28 +0000 (00:28 +0300)
committer	rinpatch <rinpatch@sdf.org>
	Sat, 2 May 2020 16:05:13 +0000 (19:05 +0300)